[unisog] Request Opinions on Anti-Virus Software

Russell Fulton r.fulton at auckland.ac.nz
Sat Jun 4 01:03:27 GMT 2005

On Fri, 2005-06-03 at 20:18 -0400, Gary Flynn wrote:
> Andy Johnston wrote:
> >Hi, folks.
> >
> >UMBC has a site license McAfee Anti-Virus software and a server on our
> >network that mirrors DAT updates.  We've noticed that we are frequently
> >seeing malware infecting campus systems well before (sometimes several
> >days) the DAT update that handles the problem appears.
> >
> >Has anyone else had similar problems?
> >  
> >
> We see the same thing with Symantec. Except for unusual
> conditions, the updates available using their LiveUpdate
> service lag the ones available for manual download
> on their Intelligent Updater site by a couple days.

We are also a Symantec site for desktop and currently Sophos & Clam AV
for email server. I generally concur with Gary's opinions on Symantec.
I'll add that we have been getting reports from IT support staff of
instances where they run NAV on a box, find nothing, then run a spyware
tool over it and suddenly NAV leaps to life and starts quarantining
files it previously ignored. It looks as if some malware is capable of
hiding from NAV but the spyware software finds it and removes whatever
is hiding the files so NAV then detects them.

We are dealing with the "lag" problem by quarantining all mail with
executable attachments and making it moderately difficult for people to
get them out of quarantine.  After a bit of fuss at the start things
have settled down and it seems to work well.  We have also implemented a
web based dropbox for people who want to send large files or executable
attachments.  (The system sends the addressee a mail with a long
'random' url where they can pick up the file.)  We are going to add a
few tweaks and then make it available for folk outside to leave files
for addresses within our network.

Since we put in our quarantine system we have had no major email worm
outbreaks on campus.  We do still get the odd one in via Web, POP or
IMAP based services beyond our control but these are generally handled
by the desktop AV.

Our record for Symantec to release a def for something that we had a
problem with was 4 days but this was very exceptional.  (I think that we
somehow got hit by something that missed just about everyone else so we
had to wait for the weekly update rather than the fast update.)

Cheers, Russell

Russell Fulton, Information Security Officer, The University of Auckland
New Zealand
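As an added illustration of the quarantine rule Russell describes (hold any mail carrying an executable attachment, and hand out large or executable files through a dropbox reachable only by a long random URL), here is example code that is not part of the original post or of any product mentioned in it. It parses a constructed MIME message with the Python standard library, flags attachments that are executable either by filename extension or by their leading bytes (so a renamed .exe is still caught), and generates an unguessable pickup token for the dropbox link. The extension list, the sample messages and the dropbox base URL are assumptions made up for this example.

```python
import os
import secrets
import email
import email.policy
from email.message import EmailMessage

# Constructed list of extensions treated as executable for this example;
# a real gateway would maintain its own site policy list.
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".vbs", ".js"}

# Leading bytes of Windows PE ("MZ") and ELF executables, checked so that
# an executable renamed to look like a document is still flagged.
EXECUTABLE_MAGIC = (b"MZ", b"\x7fELF")

# Hypothetical base URL for the web dropbox pickup page.
DROPBOX_BASE_URL = "https://dropbox.example.invalid/pickup/"


def attachment_is_executable(part) -> bool:
    """True if a MIME part looks executable by filename or by content."""
    filename = (part.get_filename() or "").lower()
    if os.path.splitext(filename)[1] in EXECUTABLE_EXTENSIONS:
        return True
    payload = part.get_payload(decode=True) or b""
    return payload.startswith(EXECUTABLE_MAGIC)


def quarantine_decision(raw_message: bytes) -> dict:
    """Parse a raw RFC 822 message and decide whether to hold it.

    Returns the decision plus the names of the attachments that triggered it,
    which is what an operator needs when deciding whether to release it.
    """
    msg = email.message_from_bytes(raw_message, policy=email.policy.default)
    flagged = [
        part.get_filename() or "<unnamed>"
        for part in msg.iter_attachments()
        if attachment_is_executable(part)
    ]
    return {"quarantine": bool(flagged), "flagged": flagged, "subject": str(msg["Subject"])}


def make_pickup_url() -> str:
    """Build a dropbox pickup URL whose path is a 256-bit random token.

    secrets (not random) is used so the link cannot be predicted or enumerated.
    """
    return DROPBOX_BASE_URL + secrets.token_urlsafe(32)


def build_sample(filename: str, data: bytes) -> bytes:
    """Construct a sample message with one attachment (test data, not real mail)."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "recipient@example.invalid"
    msg["Subject"] = "constructed sample"
    msg.set_content("See attached.")
    msg.add_attachment(data, maintype="application", subtype="octet-stream", filename=filename)
    return msg.as_bytes()


# Constructed samples: a plain .exe, a PE renamed to .pdf, and a genuine-looking PDF.
PE_STUB = b"MZ\x90\x00" + b"\x00" * 60
SAMPLE_EXE = build_sample("invoice.exe", PE_STUB)
SAMPLE_RENAMED = build_sample("report.pdf", PE_STUB)
SAMPLE_PDF = build_sample("report.pdf", b"%PDF-1.4\n%\xe2\xe3\xcf\xd3\n")

if __name__ == "__main__":
    for name, raw in [("exe", SAMPLE_EXE), ("renamed", SAMPLE_RENAMED), ("pdf", SAMPLE_PDF)]:
        print(name, quarantine_decision(raw))
    print("pickup link:", make_pickup_url())
```

The content check matters more than the extension list: the post's problem is malware arriving before a signature exists, so the gateway should hold anything that *is* an executable, not only things *named* like one. Archive attachments (zip, etc.) are not inspected here and would need a separate rule.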